CCNP ICW实验手册资料

实验一：MPLS配置

实验环境：三台路由器Ethernet接口相连，接口配苴如图

要求：在三台路由器相连的接口分别启用MPLS,查看相应的结果，在启用前使其在OSPF下

互通。

步骤一：接口配置连通性，启用OSPF路由协议

RI(config-if)ttintcO/1

Rl(config-if)#ipadd10.1.1.1255.255.255.0

RI(config-if)#noshutdown

Kl(cuurig)#inLt-0/0

Rl(config-if)ttipadd20.1.1.1255255.255.0

RI(config-if)Unosh

Rl(config)#routerospf100)启用路由协议,发布接口

RI(config-router)ttnet10.1.1.00.D.0.255area0

RI(config-router)#net20.1.1.00.0.0.255area0

R2(config)#inteO/I

R2(config-if)ttipadd20.1.1.2255.255.255.0

R2(config-if)#nosh

R2(config-if)ttinte0/0

R2(config-if)«ipadd30.1.1.1255.255.255.0

R2(config-if)#nosh

R2(config)"routerospf100

R2(config-router)ttnet20.1.1.00.D.0.255area0

R2(config-router)«net30.1.1.00.D.0.255area0

R3(config)#inteO/1

R3(config-if)«ipadd30.1.1.2255255.255.0

R3(config-if)#nosh

R3(config-if)Ointe0/0

R3(config-if)#ipadd40.1.1.1255.255.255.0

R3(config-if)ttnosh

R3(config-if)#exit

R3(config)ttrouterospf100

R3(config-router)#net30.1.1.00.0.0.255area0

R3(config-router)#net30.1,1.00.0.0.255area0

步骤二：查看路由，并测试连通性

Rl#showiproute今查看路由表

20.0.0.0/24issubnetted,1subnets

C20.1.1.0isdirectlyconnected,Ethernet0/0

40.0.0.0/24issubnetted,1subnets

040.1.1.0[110/30]via20.I.1.2,00:00:15,Ethernet0/0

10.0.0.0/24issubnetted,1subnets

10.1.1.0isdirectlyconnected,EthernetO/1

30.0.0.0/24issubnetted,1subnets

030.1.1.0[110/20]via20.1.1.2,00:00:15,EthernetO/O

R2#showiproute

20.0.0.0/24issubnetted,1subnets

C20.1.1.0cuuneuled,EllteinelO/1

40.0.0.0/24issubnetted,1subnets

040.1.1.0[110/20]via30.I.1.2,00:00:23,Ethernet0/0

10.0.0.0/24issubnetted,1subnets

010.1.1.0[110/20]via20.L.1.1,00:00:23,EthernetO/1

30.0.0.0/24issubnetted,1subnets

C30.1.1.0isdirectlyconnected,Ethernet0/0

R3#showiprouteT查看路由表，都也学到相关路由

20.0.0.0/24issubnetted,1subnets

020.1.1.0F110/201via30.I.1.1.00:00:06.Ethernet0/1

40.0.0.0/24issubnetled,1subnets

40.1.1.0isdirectlyconnected,EthernetO/O

10.0.0.0/24issubnetted.1subnets

010.1.1.0[110/30]via30.L1.1,00:00:06,EthernetO/1

30.0.0.0/24issubnetted,1subnets

c30.1.1.0isdirectlyconnected,EthernetO/1

Raping40.1.1.19测试连通性

Typeescapesequencetoabort.

Sending5,100-bytcICMPEchosto40.1.1.1,timeoutis2seconds:

111fi

Successrateis100percent(5/5).round-tripmin/avg/max=4/4/4rrs

R3#ping10.1,1.1

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto,timeoutis2seconds:

Mill

Successrateis100percent(5/5):round-tripmin/avg/max=4/4/4irs

步骤三：启用相关接口的MPLS,及快速转发功能

Rl(config)Uipcef今启用快速转发功能

RI(config)#inte0/0

Rl(config-if)#mplsip)接口启用MPLS

R2(config)ttipcef

R2(config)ttinte0/l

R2(config-if)#mp1sip

R2(config-if)#intc0/0

R2(config-if)#mp1sip

R3(config)ttipcef

R3(config)#inte0/l

R3(config-if)#mp1sip

步骤四：查看MPLS状态

Rl#showmplsforwarding-table查看MPLS转发表

LocalOutgoingPrefixBytestagOutgoingNextHop

tagtagorVCorTunnelIdswitchedinterface

161640.1.1.0/240El0/020.1.1.2

17Poptag30.1.1.0/240El0/020.1.1.2

R2#showmplsforwarding-table

LocalOutgoingPrefixBytestagOutgoingNextHop

tagtagorVCorTunnelIdswitchedinterface

16Poptag40.1.1.0/240EtO/O30.1.1.2

17Poptag10.1.1.0/240ElO/120.1.1.1

R3#showmplsforwarding-table

LocalOutgoingPrefixBytestagOutgoingNextHop

tagtagorVCorTunnelIdswitchedinterface

16Poptag20.1.1.0/240EtO/130.1.1.1

171710.1.1.0/210EtO/130.1.1.1

Rl#showipcefsummary今查看CEI,转发汇总信息及标记信息

IPCEFwithswitching(TableVersion16),flags=0x0

16routes,0reresolve,0unresolved(0old,0new),peak0

16leaves,18nodes,20896bytes,21inserts,5invalidations

0loadsharingelements,0bytes,0references

universalper-destinationloadsharingalgorithm,id86C8F0BF

3(0)CEFresets,0revisionsofexisting1caves

ResolutionTimer:Exponential(currentlyIs,peakIs)

0in-place/0abortedmodifications

refcounts:4877leaf,4864node

Tableepoch:0(16entriesatthisepoch)

AdjacencyTablehas2adjacencies

R2#showipcefsummary

IPCEFwithswitching(TableVersion17),flags=0x0

17routes,0reresolve,0unresolved(0old,0new),peak0

171eaves,18nodes,21032bytes,22inserts,5invalidations

0loadiugeleiiiuiiLsr0byles,0iefeieuces

universalper-destinationloadsharingalgorithm,idFCD3DE86

3(0)CEFresets,0revisionsofexistingleaves

ResolutionTimer:Exponential(currentlyIs,peakIs)

0in-place/0abortedmodifications

refcounts:4879leaf,4864node

Tabicepoch:0(17entriesatthisepoch)

AdjacencyTablehas4adjacencies

R3#showipcefsummary

IPCEFwithswitching(TableVersion16).flags=0x0

16routes,0reresolve,0unresolved(0old,0new),peak0

16leaves,18nodes,20896bytes,21inserts,5invalidations

0loadsharingelements,0bytes,0references

universalper-destinationloadsharingalgorithm,id86B9347C

3(0)CEFresets,0revisionsofexistingleaves

ResolutionTimer:Exponential(currentlyIs,peakIs)

0in-place/0abortedmodifications

refcounts:4877leaf,4864node

Tableepoch:0(16entriesatthisepoch)

AdjacencyTablehas2adjacencies

注：也可用showipcefdetail这条命令来查看详细信息

Raping40.1.1.16测试连通性

Mill

R3#ping10.I.i.I

步骤五：显示当前配置信息

Rl#showrun

hostnameRI

ipcef

j

interfaceEthernet0/0

ipaddress20.1.L1255.255.255.D

half-duplex

tag-switchingip

interfaceEthernetO/1

ipaddress10.1.1.1255.255.255.0

half-duplex

j

routerospf100

network10.1.1.00.0.0.255areaD

network20.1.1.00.0.0.255area0

j

end

R2#showrun

hostnameR2

j

ipcef

interfaceEthernet0/0

ipaddress30.1.1.1255.255.255.•)

half-duplex

tag-switchingip

j

interfaceEthernet0/1

ipaddress20.1.1.2255.255.255.•)

half-duplex

tag-switchingip

j

routerospf100

network20.1.1.00.0.0.255areaD

network30.1.1.00.0.0.255areaD

j

end

R3#showrun

hostnameR3

!

ipcef

!

interfaceEthernet0/0

ipaddress40.1.1.1255.255.255.0

half-duplex

i

interfaceEthernet0/l

ipaddress30.1.1.2255.255.255.0

ha]f-duplex

lag-swilullingip

J

routerospf100

network30.1.1.00.0.0.255area•)

network40.1.1.00.0.0.255area0

end

实验二：ipsecsite-to-siteVPN配置

环境：两台路由器串口相连，接口配置如图

要求：用两个LOOP口模拟VPN感兴趣流来建立IPSECVPN,IKE1阶段用预共享密钥，IKE2

阶段哈希稣法用sha,加密算法用DES.

/24

Loop0Loop0

1.1.1J/24/24

步骤一：接口基本配置，并测试连通性

RI(config)#ints0

Rl(config-if)#ipadd10.1.1.1255.255.255.0

RI(config-if)#clockrate64000

RL(config-if)ttnosh

RI(config)(tintloop0

RI(config-if)ttipadd1.1.1.1255.255.255.0

R2(config)#intsi

R2(config-if)#ipadd10.1.1.2255.255.255.0

R2(config-if)#nosh

R2(config)#intloop0

R2(config-if)ttipadd1.1.2.1255.255.255.0

Riffping10.1.1.2今测试连通性，再做IPSEC

11111

Successrateis100percent(5/5)round-tripmin/avg/max=28/31/32ms

R2#ping10.1.1.1

11111

Successrateis100percent(5/5)：round-tripmin/avg/max=32/32/32ms

配置二：配置IKE1和IKE2两个阶段，并应用到接口

RI(config)ttcryptoisakmppolicy10今IKE1阶段策略

RI(config-isakmp)#authenpre-share今将验证修改为预共享

RI(config)ttcryptoisakmpkeyciscoaddress10.1.1.2今定义预共享密钥

RI(config)Ucryptoipsectransformmysetesp-sha-hmacesp-des

分定义2阶段的转换集

RI(config)Uaccess-list100permitip1.1.1.00.0.0.2551.1.2.00.0.0.255

今定义加密感兴趣流

RI(config)Ucryptomapmymap10ipsec-isakmp)定义2阶段加密图

%NOTE:Thisnewcryptomapwillremaindisableduntilapeer

andavalidaccess1isthavebeenconfigured.

RI(config-crypto-map)ftnatchaddress1006将列表应用到加密图

RI(config-crypto-map)Ssetpeer10I.1.2今指定对等体

RI(config-crypto-map)#settransform-setmyset今将转换集映射到加密图

RI(config)#inlsO

RI(config-if)Ucryptomapmyinap今将加密图应用到接LI

RI(config)ttiproute1.1.2.0255.255.255.020.1.1.2

今指定隧道感兴趣流的路由走向

R2(config)ttcryptoisakmppolicy10->R2与RI端策略要匹配

R2(config-isakmp)iiriuthenticationpre-share

R2(config-isakmp)#cxit

R2(config)ttcryptoisakmpkeyciscoaddress10.1.1.1今密钥一致,地址相互指

R2(config)#cryptoipsectransform-selmysetesp-desesp-sha-hmac

R2(cfg-crypto-trans)#exitT两端必须匹配，默认即为lunnel模式

R2(config)#access-list102permitip1.1.2.00.0.0.2551.1.1.00.0.0.255

今感兴趣流，两端互指

R2(config)ttcryptomapmyinap10ipsec-isakmp)加密图

%NOTE:Thisnewcryptomapwillremaindisableduntilapeer

andavalidaccesslisthavebeenconfigured.

R2(config-crypto-map)#setpeer10!.1.1今对端的物理地址

R2(config-crypto-map)#settransform-setmyset

R2(config-crypto-map)#matchaddress102

K2(cuufig-ciyplu-iutiplSeAiI

R2(config)Uiproute1.1.1.0255.255.255.010.1.1.16加密图感兴趣流的路由

R2(config)#intsi

R2(config-if)Ucryptomapmyinap+加密映射应用到接LI下

步骤三：测试流是否加密，直接用接口ping出

Rl#ping1.1.2.1

Successrateis100percent(5/5).round-tripmin/avg/max=32/33/36ms

R2#ping1.1.1.1

!I1II

Successrateis100percent(5/5).round-tripmin/avg/max=32/33/36ms

分别在RI和R2上查看两个阶段的关联

Rl#showcryptoisakmpsa今没有住何关联

dstsrestateconn-idslot

R2#showcryptoisaknipsa

srcstateconn-idslot

Rltfshowcryptoipsecsa今没有任何加需包，关联也没有建立

interface:ScrialO

Cryptomaptag:mymap,localaddr.10.1.1.1

localidem(addr/mask/prot/porl):(1.1.1.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/p«>rt):(1.1.2.0/255.255.255.0/0/0)

current_peer:10.1.1.2

PERMIT,flags={origin_is_acl}

#pktsencaps:0,#pktsencrypt:0,#pktsdigest0

#pktsdecaps:0,#pktsdecrypt:0,ttpktsverify0

即ktscompressed:0,#pktsdecompressed:0

即ktsnotcompressed:0,#pktscompr.failed:0,#pktsdecompressfailed:0

力senderrors0,ttreeverrorsD

localcryptoendpt.:10.1.1.I,remotecryptoendpl.:10.1.1.2

pathmtu1500,mediamtu1500

currentoutboundspi:0

inboundespsas:

inboundahsas:

inboundpepsas:

outboundespsas:

outboundahsas:

outboundpepsas:

R2#showcryptoipsecsa

interface:Serial1

Cryptomaptag:mymap,localaddr.10.1.1.2

localident(addr/mask/prot/porl):(I.1.2.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)

current_peer:10.1.1.1

PERMIT,flags={origin_is_acl：}

#pktsencaps:0,#pktsencrypt:0,#pktsdigest0

#pktsdecaps:0,#pktsdecrypt:0,tfpktsverify0

«pktscompressed:0.#pktsdecompressed:0

#pktsnotcompressed:0,Spktscompr.failed:0,#pktsdecompressfailed:0

加enderrors0,ttrecverrorsD

localcryptoendpt.:10.1.1.2,remotecryptoendpt.:10.1.1.1

pathmtu1500,mediamtu1500

currentoutboundspi:0

inboundespsas:

inboundahsas:

inboundpepsas:

outboundespsas:

outboundahsas:

outboundpepsas:

步骤四：用扩展ping来触发感兴趣流量

Rl#pingip

TargetIPaddress:1.1.2.1

Repeatcount[5]:10今将包调为10个，否则一个ping看不到效果

Extendedcommands[n]:y

SuuiuetiddiebbuxinluiTaue；1.1.I.1

Sending10,lOObyteICMPEchosto,timeoutis2seconds:

....!!!!!!今已经触发了感兴趣流，并且ping通

Successrateis60percent(6/10)round-tripmin/avg/max=84/84/84ms

步骤五：再次杳看两个阶段的关联，以及加密情况

Rl#showcryptoisasa->1KEI阶段关联已建立为快速模式

dstsrestateconn-idslot

10.1.1.210.1.1.1QM_IDLE10

Rl#showcryptoipsecsa

今IKE2阶段关联建立，并加密广流量,隧道也已成功建立

interface:SerialO

Cryptomaptag:mymap,localaddr.10.1.1.1

localident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/porl):(1.1.2.0/255.255.255.0/0/0)

current_peer:10.1.1.2

PERMIT,flags={origin_is_acL}

#pktsencaps:6,#pktsencrypt:6,ttpktsdigest6

Spktsdccaps:6,#pktsdecrypt:6,ttpktsverify6

即ktscompressed:0,#pktsdecompressed:0

即ktsnotcompressed:0,和ktscompr.failed:0,#pktsdecompressfailed:0

力senderrors14,#recverrors0

localcryptoendpt.:10.1.1.1,remotecryptoendpt.:10.1.1.2

pathmtu1500,mediamtu1500

currentoutboundspi:84AEB2E6

inboundespsas:

spi:Ox1E44ABID(507816733)

transform:csp-dcsesp-sha-hmac,

inusesettings={Tunnel,}

slot:0,connid:2000,flow_id:1,cryptomap:mymap

satiming:remainingkeylifetime(k/sec):(4607999/3520)

IVsize:8bytes

replaydetectionsupport:Y

inboundahsas:

inboundpepsas:

outboundespsas:

spi.0A84AEB2EG(2226011574)

transform:esp-desesp-sha-hmac,

inusesettings={Tunnel,}

slot:0,connid:2(X)1,flow_id:2,cryptomap:mymap

satiming:remainingkeylifetime(k/sec):(4607999/3520)

IVsize:8bytes

replaydetectionsupport:Y

outboundahsas:

outboundpepsas:

R2#showcryptoisasa

(1stsrestateconn-idslot

10.1.1.210.1.1.1Q\lIDLE10

R2#showcryptoipsecsa

interface:Serial1

Cryptomaptag:mymap,localaddr.10.1.1.2

localidcnt(addr/mask/prot/port):(1.1.2.0/255.255.255.0/0/0)

remoteident(addr/mask/prot/port):(1.1.1.0/255.255.255.0/0/0)

current_peer:10.1.1.1

PERMIT,flags={origin_is_acl}

#pktsencaps:6,#pktsencrypt:6,ttpktsdigest6

#pktsdecaps:6,#pktsdecrypt:6,ttpktsverify6

ttpktscompressed:0.^pktsdecompressed:0

即ktsnotcompressed:0,ffpktscompr.failed:0,#pktsdecompressfailed:0

△senderrors0,#recverrors0

localcryptocndpt.:10.1.1.2,remotecryptoendpt.:10.1.1.1

pathmtu1500,mediamtu1500

currentoutboundspi:1E44ABID

inboundespsas:今进站流已经产生

spi:0x84AEB2E6(2226041574)

transform:esp-desesp-sha-hmac,

inusesettings={Tunnel,}

slot:0,connid:2000,flowid:1,cryptomap:mymap

satiming:remainingkeylifetime(k/scc):(4607999/3502)

IVsize:8bytes

replaydetectionsupport:Y

inboundahsas:

inboundpepsas:

outboundespsas:今出站流已经产生

spi:0xlE44ABlD(507816733)

transform:csp-dcsesp-sha-hmac,

inusesettings={Tunnel,}

slot:0,connid:2001,flow_id:2,cryptomap:mymap

satiming:remainingkey1ifetimc(k/sec):(4607999/3502)

IVsize:8bytes

replaydetectionsupport:Y

outboundahsas:

outboundpepsas:

配置五：查看当前的配置

Rl#showrun

hostnameRI

!

cryptoisakmppolicy10

authenticationpre-share

cryptoisakmpkeyciscoaddress10.1.1.2

;

cryptoipsectransform-setmysetesp-desesp-sha-hmac

j

cryptomapmymap10ipsec-isakmp

setpeer10.1.1.2

settransform-setmyset

matchaddress102

•

interfaceLoopbackO

ipaddress1.1.1.1255.255.255.0

t

interfaceSerialO

ipaddress10.1.1.1255.255.255.0

clockrate64000

cryptomapmymap

iproute1.1.2.0255.255.255.010.1.1.2

access-list102permitip0.0.0.2551.1.2.00.0.0.255

!

end

R2#showrun

hostnameR2

j

cryptoisakmppolicy10

authenticationprc-sharc

cryptoisakmpkeyciscoaddressID.1.1.1

!

cryptoipsectransform-setmysetesp-desesp-sha-hmac

j

cryptomapmymap10ipsecisakmp

setpeer10.1.1.1

settransform-setmyset

matchaddress102

interfaceLoopbackO

ipaddress1.1.2.1255.255.255.0

i

interfaceSerial1

ipaddress10.1.1.2255.255.255.D

cryptomapmymap

!

iproute1.L1.0255.255.255.010.1.1.1

j

access-list102permitip1.1,2.00.0.0,2551.1.1.00.0.0.255

j

end

实验三：GREVPN的配置

环境：三台路由器串口相连，接口配置如图

要求：在RI和R3之间建立GRE隧道，地址如图

GRP实验拓扑

步骤一：接口配置连通性，

RI(config)#intsO

Rl(config-if)#ipadd20.1.1.1255.255.255.0

RI(config-if)ttnosh

RL(config-if)ttinlloO

Rl(config-if)#ipadd10.1.1.1255255.255.0今虚拟私有网络

Rl(config)#iproute0.0.0.00.0.0020.1.1.2)上互联网的缺省路由

ISP(config)#ints01【SP路由器虚拟互联网

ISP(config-if)#ipadd30.1.1.1255.255.255.0

ISP(config-if)#clra64000

ISP(config-if)#nosh

ISP(config-if)#intsi

13P<cunrig-if)#ipadd20.1.1.2253.255.255.0

ISP(config-if)#clra64000

ISP(config-if)«nosh

R3(cor)fig)#intsi

R3(config-if)#ipadd30.1.1.2255.255.255.0

R3(config-if)#nosh

R3(config-if)#intloo0

R3(config-if)#ipadd10.1.1.1255255.255.0今虚拟私有网络

R3(config-if)#exit

R3(config)Uiproute0.0.0.00.0.0,030.1.1.2今上互联网的缺省路由

步骤二：测试哪些可达，哪些不可达

R3#ping10.1.1.11由于ISP没有私网的路由

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto10.1.1.1,timeoutis2seconds:

U.U.U

Successrateis0percent(0/5)

R3#ping20.I.1.I9合法地址是能做通讯的

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto,timeoutis2seconds:

»111r

Successrateis100percent(5/5)round-tripmin/avg/max=56/60/64ms

步骤三：实施GRE隧道技术

RI(config)ttinttunnel0进入隧道接口

Rl(config-if)#ipadd100.1.I.1255.255.255.0今指定【P地址,两端要在一个网段

RI(config-if)tttunnclsourcesO指定承载隧道的源和目的接口

RI(config-if)tttunneldestinationJO.1.1.2

RI(config-if)ttnosh

Rl(config)#iproute40.1.1,0255.255.255.0LunnelO今为私有网络指路由走tunnel

接口

R3(config)ttinttunnel0

R3(config-if)«ipadd100.1.1,2255.255.255.0

R3(config-if)#tunnelsourcesi互指源和H的

R3(config-if)tttunne1destination20.1.1.I

R3(config-if)#nosh

R3(config-if)#exit

R3(config)#iproute10.1.1.0255.255.255.0tunnel0今指对端的私有网络

步骤四：做PING测试

Raping40.1,1.16都已PING通,证明GRE隧道已建立

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto40.1.1.1,timeoutis2seconds:

Successrateis100percent(5/5)：round-tripmin/avg/max=72/72/76ms

Raping10.1.1.1

Typeescapesequencetoabort.

Sending5,100-byteICMPEchosto10.1.1.1,timeoutis2seconds:

Successrateis100percent(5/5).round-tripmin/avg/max=72/72/76ms

步骤五：验证结果

RISshowinttunnel0

TunnelOisup,lineprotocolisupftunnel接口己经UP

HardwareisTunnel

Internetaddressis100.1.1.1/24

R3#showinttunnel0

TunnelOisup,lineprotocolisup

HardwareisTunnel

Internetaddressis100.1.1.2/24

Rl#showinttunnel0accounting->tunnel接口的统计信息，包的统计

TunnelO

ProtocolPktsInCharsInPktsOutCharsOut

IP101000101000

R3#showinttunnel0accounting

TunnelO

ProtocolPktsInCharsInPkisOutCharsOut

IP101000101000

步骤六：显示当前配置

Rltfshowrun

hostnameRI

!

interfaceLoopbackO

ipaddress10.1.1.1255.255.255.0

j

interfaceTunnelO

ipaddress100.1.1.1255.255.2550

tunnelsourceSerialO

tunneldestination30.1.1.2

j

interfaceSerialO

ipaddress20.1.1.1255.255.255.0

j

iproute0.0.0.00.0.0.020.1.1.2

iproute40.1.1.0255.255.255.0TunnelO

End

ISP#showrun

hostnameISP

interfaceSerialO

ipaddress30.I.1.1255.255.255.0

clockrate64000

I

interfaceSerial1

ipaddress20.1.1.2255.255.255.•)

clockrate64000

end

R3#showrun

hostnameR3

i

interfaceLoopbackO

ipaddress40.1.1.1255.255.255.0

j

interfaceTunnelO

ipaddress100.1.1,2255.255.2550

tunnelsourcesi

tunneldestination20.1.1.1

!

interfaceSerial1

ipaddress30.1.1.2255.255.255.0

i

ipioule0.0.0.00.0.0.030.1.1.2

iproute10.1.1.0255.255.255.0TunnelO

end

实验四：静态VS.动态CryptoMap批注［微软中国1)：加密映射

功能:将所有必要的岩息组织在•起来构建•个Ipsec

会话…管理和数据连接…到远端的刻等设法.

岸态的cryptomap条目的一个问题是，必须指定远程对等设缶的IP地址.如果本地或者远程

R动态获得它们的地址信息是,会变得寸常困难.

topology

10.1.1.0/24-routerl-172.16.171.10——172.16.171.20-router2-10.1.2.0/24

Basicroute

Routerl:

iproute0.0.0.00.0.0.0172.16.171.20

Router2:

批注［微软中国2J:在路由器上建、工了一个可用的

iproute0.0.0.00.0.0.0172.16.171.10

ISKAMP/IKE的管理连接策略

IKEPhaseIpolicy批注［微软中国3|:打定用于设备验证的万法.

Routerl:批注［微软中国41:后定使用「哪种加密算法.

cryptoisakmppolicy1

批注［微软中国51:后定「使用的DH制仍组.

aulhenlicalionper-shared

hashIIK15批注【微软中国外为设备验证配置一个对称的预共享

encryption3des密钥.0表示后面的密钥(cisco)不加密.6代表已经被加

group2密.

cryptoisakmp6keyciscoaddress172.16.171.20批注【微软中国7):适配一个密钥.使其能够用于多个对

等体•.

Router2:

批注I微软中国8J:定义保护方法:然认模式是tunnel,

cryptoisakmppolicy1

transonn-set传输娓定义数据流域是否被保护的一安

aullieuliualiunper-sliaied

全协议和算法/功能.对于数据SA能物成功协商,在两台

hashmd5

1Pe时等设备之间至少有一个匹配的传输集.

encr3dessc

group2批注I微软中国9|：

cryptoisakmpkeyciscoaddress00.0.00.0.0.0csp-dcsES加密

csp-sha-hmacESP完整性校验

IPSecPhase11policy

批注［微软中国10)：定义被保护的滤盘

Routerl:

批注【微软中国1"：使用ISAKMPJIKE.为vpn建立.

cryptoipsectransform-setciscoesp-dcsesp-sha-hmac

cryptomap的条目.

access-list101permitip10.1.1.00.0.0.25510.1.2.00.0.0.255批注【微软中国12):指定了对于crypi。ACL中指定的流

卅.R应当和谁连接.

BialicCryploMap)

批注【微软中国13):用户保护去往setpeer命令中指定

cryptomapvpn10ipsec-isakmp

的对等设名的流量.

setpeer；172.16.171.20

settransform-setcisco批注［微软中国14］:指定保护流帚的crjptoACL的名字

matchaddress]1ist101或者号码.如果引用了不存在的cryptoACL,router将丢

弃所有的发送给他们的未保护流最

Router2:

cryptoipsectransform-setciscoesp-desesp-sha-hmac

DynamicCryptoMap|

cryptodynamic-mapdynamap10

settransform-setcisco批注［微软中国15)：必要命令.其他命令是可选.

cryptomapvpn10ipsec-isakmpdynamicdynamap批注【微软中国16):动态crypt。不需要应用到路由器的